Bugzilla – Bug 1170898
VUL-0: CVE-2020-12458, CVE-2020-12459: grafana: information disclosure through world-readable grafana database and configuration files
Last modified: 2020-06-10 03:54:25 UTC
CVE-2020-12458: An information-disclosure flaw was found in Grafana versions <= 6.7.3: the grafana database directory /var/lib/grafana/ and the database file /var/lib/grafana/grafana.db are world-readable, which can result in exposure of sensitive information (e.g. plaintext/encrypted datasource passwords).

CVE-2020-12459: In addition, for Grafana rpms 6.x through 6.3.6 distributed by Red Hat, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml, which contain secret_key/bind_password, are readable to all users.

Notable fixes which remove the readable bits:
- change permissions of /var/lib/grafana/grafana.db to 640 and user/group to grafana:grafana
- change permissions of grafana.ini and ldap.toml to 640 (contain secret_key/bind_password)
- change permissions of /var/lib/grafana to 750

Commits:
https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
https://src.fedoraproject.org/rpms/grafana/c/925160cd8de011ab33609023abf961f4ff6ba804
https://src.fedoraproject.org/rpms/grafana/c/f7791a6ad70b7e9da1a30774434fed0eaa5a04a1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1827765
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12459
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12459
https://github.com/grafana/grafana/issues/8283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12458
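The following audit script is an added example, not part of this bug report, the Fedora commits or the Grafana project. It checks the four paths named in the report against the modes the fix sets (640 for grafana.db, grafana.ini and ldap.toml; 750 for /var/lib/grafana) and against grafana:grafana ownership, and counts every deviation as a finding. The comparison is bitwise, so a file at 600 passes while 644 or 660 does not. It assumes GNU coreutils `stat -c` (Linux); the ROOT prefix argument lets a staging tree (e.g. an unpacked rpm) be audited without root.

```shell
#!/bin/sh
# Added example (not from the Bugzilla report or Grafana packaging):
# audit the Grafana paths from CVE-2020-12458 / CVE-2020-12459 for
# ownership and permission bits beyond what the fix allows.
# Assumption: GNU coreutils stat (-c '%a' / '%U:%G').

# audit_path PATH MAX_MODE
# Returns 0 when PATH exists and sets no permission bit outside MAX_MODE
# (octal string such as 640), 1 when it is too permissive, 2 when absent.
audit_path() {
    path="$1"
    max="$2"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    mode=$(stat -c '%a' "$path")
    # Any bit set in the actual mode but clear in the allowed mode is a leak.
    if [ $(( 0$mode & ~0$max )) -ne 0 ]; then
        echo "OPEN     $path is $mode, expected at most $max"
        return 1
    fi
    echo "OK       $path is $mode"
    return 0
}

# audit_owner PATH USER GROUP: returns 0 when PATH is owned by USER:GROUP.
audit_owner() {
    owner=$(stat -c '%U:%G' "$1")
    if [ "$owner" != "$2:$3" ]; then
        echo "OWNER    $1 is $owner, expected $2:$3"
        return 1
    fi
    return 0
}

# audit_grafana ROOT USER GROUP
# ROOT is prefixed to the packaged paths ("" for the live system).
# Returns the number of findings (0 means the fix is fully applied).
audit_grafana() {
    root="$1"; user="$2"; group="$3"; findings=0
    for spec in \
        "$root/var/lib/grafana:750" \
        "$root/var/lib/grafana/grafana.db:640" \
        "$root/etc/grafana/grafana.ini:640" \
        "$root/etc/grafana/ldap.toml:640"; do
        p="${spec%:*}"; m="${spec##*:}"
        audit_path "$p" "$m" || findings=$((findings + 1))
        if [ -e "$p" ]; then
            audit_owner "$p" "$user" "$group" || findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh grafana_perms.sh --live   (audits the real paths; needs read access)
if [ "${1:-}" = "--live" ]; then
    audit_grafana "" grafana grafana && echo "no findings" || echo "findings: $?"
fi
```

On a SUSE box in the state described in comment 1 and comment 2 (directory drwxr-x---, files 640) the script reports no findings; on an affected Red Hat 6.x rpm layout it would flag grafana.ini and ldap.toml as OPEN, and on Grafana <= 6.7.3 the directory and grafana.db as well.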
It appears to me that all SUSE packages of grafana already create grafana.ini and ldap.ini with correct permissions. /var/lib/grafana/ is not world-readable either. Please verify.
I checked some SOC envs and the directory is drwxr-x--- 5 grafana grafana 4096 Apr 28 07:45 grafana
Thank you for the analysis.